volatility

Volatility is a tool for performing memory forensics on captured memory dumps.

 

Volatility Cheatsheet - Memory Forensics CTF

Installation -

sudo apt install volatility  

or  

git clone https://github.com/volatilityfoundation/volatility
cd volatility
python vol.py
 

Step.1 Finding Profile of Memory Dump File

volatility -f Path_To_file imageinfo 

Basic Command -

volatility -f Path_To_file --profile=Profile_Name  Plugin_Name 
 

Step.2 Using Plugins 

1.To list all processes - pslist
  ex - volatility -f Path_To_file --profile=Win7SP1x64 pslist
2.To see Hidden Processes - psxview
  ex - volatility -f Path_To_file --profile=Win7SP1x64 psxview
3.To list executed Commands - cmdscan
  ex - volatility -f Path_To_file --profile=Win7SP1x64 cmdscan
4.To see the output of executed Commands- consoles
  ex - volatility -f Path_To_file --profile=Win7SP1x64 consoles
5.To see clipboard content - clipboard
  ex - volatility -f Path_To_file --profile=Win7SP1x64 clipboard
6.To see Environment Variables - envars
  ex - volatility -f Path_To_file --profile=Win7SP1x64 envars
7.Scan Files - filescan
  (Hint - grep for folders like Documents/Downloads/Desktop and for words like .kdbx, .rar, .zip, png, bmp, jpg/jpeg, important, Pass/Password)
  ex - volatility -f Path_To_file --profile=Win7SP1x64 filescan | grep Documents
8.Dumping Files - dumpfiles -Q (hex offset from filescan) -D (Destination)

  ex - volatility -f Path_To_file --profile=Win7SP1x64 dumpfiles -Q 0x0000000017663e7 -D .

9.Dumping Memory of a particular process - memdump
          memdump -p (pid) -D (Destination path)
  ex - volatility -f Path_To_file --profile=Win7SP1x64 memdump -p 231 -D .
 
10.To see process command lines - cmdline
          cmdline -p (pids from pslist)
  ex - volatility -f Path_To_file --profile=Win7SP1x64 cmdline -p 123,234
11.To see deleted files and file creation/modification dates - mftparser
  ex - volatility -f Path_To_file --profile=Win7SP1x64 mftparser
12. To see last Shutdown Time - shutdowntime
  ex - volatility -f Path_To_file --profile=Win7SP1x64 shutdowntime
13. To Dump Screenshots - screenshot -D (path)
  ex - volatility -f Path_To_file --profile=Win7SP1x64 screenshot -D .
14. Grepping Interesting Things -      
  strings Challenge.raw | grep "Mega"
  strings Challenge.raw | grep "Pastebin"
  strings Challenge.raw | grep "Passwords" 
  strings Challenge.raw | grep "Flag{" 
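
As an added example (not part of the original cheatsheet), a small POSIX shell script that chains Step 1 and Step 2: it parses the "Suggested Profile(s)" line that imageinfo prints, takes the first profile, and runs the listed plugins, saving each output to a file for grepping. The imageinfo sample is constructed; the `volatility` command and plugin names are the ones above, and the "No suggestion" wording is how Volatility 2 reports a failed profile detection.

```shell
#!/bin/sh
# Added example for the Volatility 2 workflow above, not from the original
# cheatsheet. Assumes the `volatility` binary from the install step is on PATH.
set -eu

# Constructed sample of what `volatility -f image imageinfo` prints; lets
# first_profile be exercised without a memory image.
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)'

# Read imageinfo output on stdin and print the first suggested profile.
# Returns 1 if the line is missing or says "No suggestion", so the caller
# never runs plugins with an empty --profile.
first_profile() {
  awk -F': *' '
    /Suggested Profile\(s\)/ && !done {
      done = 1
      if ($2 ~ /^No suggestion/) exit 1
      split($2, p, ",")
      gsub(/[[:space:]]/, "", p[1])
      print p[1]
    }
    END { if (!done) exit 1 }'
}

# Steps 1 and 2 in one pass: detect the profile, then run the listed plugins,
# saving each output as OUTDIR/<plugin>.txt for grepping, as the cheatsheet
# does with filescan. Dump plugins need offsets or PIDs, so they are left out.
triage() {
  image=$1
  outdir=${2:-triage}
  mkdir -p "$outdir"
  volatility -f "$image" imageinfo > "$outdir/imageinfo.txt"
  profile=$(first_profile < "$outdir/imageinfo.txt") || {
    echo "imageinfo gave no usable profile; pick one by hand" >&2
    return 1
  }
  for plugin in pslist psxview cmdscan consoles clipboard envars cmdline \
                filescan mftparser shutdowntime; do
    volatility -f "$image" --profile="$profile" "$plugin" \
      > "$outdir/$plugin.txt" 2>> "$outdir/errors.log" \
      || echo "plugin $plugin failed, see $outdir/errors.log" >&2
  done
  echo "$profile"
}

if [ "$#" -ge 1 ]; then triage "$@"; fi
```

Run it as `sh triage.sh Challenge.raw out`; with no arguments it only defines the functions, so `first_profile` can be reused on saved imageinfo output.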
   

External Plugins

To use extra plugins such as Chrome history and Firefox history, clone the GitHub repo https://github.com/superponible/volatility-plugins

Practice

For practicing memory forensics there is a very good GitHub repo with 6 challenges, from basic to advanced:
https://github.com/stuxnet999/MemLabs

For Windows

If we are using Windows, we can also use the Autopsy software to perform memory forensics.